This article originally appeared in TidBITS on 2016-03-30 at 12:31 p.m.
The permanent URL for this article is: http://tidbits.com/article/16377

Make Sure You’re Getting OS X Security Data

by Adam C. Engst

A few weeks ago, Josh Centers wrote about an update to OS X 10.11 El Capitan’s System Integrity Protection that broke Ethernet for many Mac users briefly, before Apple pushed out a second update to resolve the problem (see “El Capitan System Integrity Protection Update Breaks Ethernet [1],” 29 February 2016). Josh’s article confused me for a bit, because the problem revolved around El Capitan’s Incompatible Kernel Extension Configuration Data file, but I could find no evidence of it being installed on either my iMac or MacBook Air.

Discussion in the comments on that article and on TidBITS Talk revealed the answer: I had not selected the “Install system data files and security updates” checkbox in the App Store pane of System Preferences.

[image link] [2]

(No time to read more of this article right now? Just make sure that checkbox is selected and get on with your life. We now return the rest of you to the regularly scheduled explanation of what’s going on.)

Why had I avoided such an important-sounding checkbox? Because Apple messed up the interface here in a big way. The top enclosing checkbox is clear: “Automatically check for updates.” Everyone should have that checked. The next one isn’t as simple: “Download newly available updates in the background.” That’s fine in most cases, but if you give network-connected presentations or are in bandwidth-constrained situations where Internet use without your knowledge might be problematic, turn it off. However, note what the interface says next: “You will be notified when the updates are ready to be installed.” Great! That’s exactly what I want to have happen — updates will be downloaded in the background and then I’ll be notified and get to choose when to install.

It would seem that the next three checkboxes are related, but that’s where Apple messed up. The next two — “Install app updates” and “Install OS X updates” — sound like “Install system data files and security updates,” but they work differently. When selected, those first two checkboxes tell the App Store app to install app and OS X updates automatically; if you leave them deselected, you’re instead notified of updates and given the opportunity to install them manually at a convenient time.

In contrast, if you fail to select “Install system data files and security updates,” you won’t be notified of these critical background security-related updates. These are not the same as Apple’s foreground updates with names like “Security Update 2016-002” — they fall into the “OS X updates” category.

So what are they? TidBITS Talk member Al Varnell, who works in the security community, shared what he knows in the discussions there, but warns that the information is incomplete because Apple has avoided documenting these systems due to the security implications. These critical background updates include at least the Gatekeeper, MRT, and XProtect data files, along with Incompatible Kernel Extension Configuration Data, Core Suggestions Configuration Data, and CoreLSKD Configuration Data.

I assume some of these files contain information used by security processes, as outlined in this Apple support article [3]. Gatekeeper enables OS X to avoid opening applications that aren’t signed. MRT likely stands for “Malware Removal Tool” since it appeared around the time of the MacDefender malware (see “Apple Responds to Increasingly Serious MacDefender Situation [4],” 25 May 2011) — Apple’s Security Update 2011-003 [5] could detect and remove MacDefender. And XProtect is part of OS X’s File Quarantine feature, which scans downloaded files for malware and blocks Web plug-ins with known vulnerabilities like Flash and Java. Incompatible Kernel Extension Configuration Data helps OS X disable old kernel extensions that may cause crashes, but it’s unclear what Core Suggestions Configuration Data and CoreLSKD Configuration Data contain. (You might also see Chinese Word List Update; I presume that’s not security-related.)

Apple needs to push out updates to these files based on new threats — if Apple’s engineers become aware of a new piece of malware, OS X’s security systems need to know about it as soon as possible to protect Mac users around the world. Disabling the “Install system data files and security updates” checkbox is, frankly, a terrible idea — it’s not installing code, and barring a mistake like Apple made in accidentally adding the Ethernet kernel extension to the Incompatible Kernel Extension Configuration Data file, it’s unlikely that allowing this security-related data to be updated could cause many problems.

So if you’ve deselected “Install system data files and security updates,” turn it back on and wait a day or two for Software Update to notice and update everything.

[image link] [6]

If you don’t want to wait, select that checkbox and then issue this command in Terminal.

sudo softwareupdate --background-critical

To verify that the updates have taken place, look in the Software > Installations category in System Information (as explained in “El Capitan System Integrity Protection Update Breaks Ethernet [7]”) — click the Date Installed column header twice to sort with the newest installations at the top.

[image link] [8]

For those who are constitutionally opposed to automatic updates, this is how you can get these critical background updates manually: select the checkbox, run the softwareupdate command above, verify that the updates have taken place, and then deselect the checkbox again.
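As an added example (not code from the article or from Apple), here is a small shell script for the verification step above: it reads the state of the checkbox from its preference file and lists the security data installs from the same install history that System Information shows under Software > Installations. The preference keys (ConfigDataInstall and CriticalUpdateInstall) and the text layout of the system_profiler output are assumptions, not something the article states.

```shell
#!/bin/sh
# Added example (not the article's or Apple's code). Assumed, not from the
# page: the 4/6-space layout of `system_profiler SPInstallHistoryDataType`
# output and that the checkbox is stored as ConfigDataInstall and
# CriticalUpdateInstall in /Library/Preferences/com.apple.SoftwareUpdate.plist.

# Constructed sample of the install-history text, so this runs offline.
sample_install_history() {
  cat <<'EOF'
Installations:
    Incompatible Kernel Extension Configuration Data:
      Version: 1
      Source: Apple
      Install Date: 3/2/16, 9:14 AM
    XProtect Configuration Data:
      Version: 1
      Source: Apple
      Install Date: 3/24/16, 8:03 AM
    Some Third-Party Installer:
      Version: 1
      Source: 3rd Party
      Install Date: 3/25/16, 1:00 PM
EOF
}

# Print "<install date><TAB><package>" for each install whose name matches the
# security data files the article names. $1 is a file holding the history text.
list_security_data_installs() {
  awk '
    /^    [^ ].*:$/ { name = substr($0, 5, length($0) - 5) }
    /^      Install Date:/ && name ~ /XProtect|MRT|Gatekeeper|Configuration Data/ {
      date = $0; sub(/^ *Install Date: */, "", date)
      print date "\t" name
    }' "$1"
}
# Number of matching installs in the history file $1.
count_security_data_installs() {
  list_security_data_installs "$1" | wc -l | tr -d ' '
}

# Live run on a Mac only; elsewhere the functions are exercised on the sample.
if [ "$(uname)" = Darwin ]; then
  plist=/Library/Preferences/com.apple.SoftwareUpdate.plist
  for key in ConfigDataInstall CriticalUpdateInstall; do
    printf '%s: ' "$key"; defaults read "$plist" "$key" 2>/dev/null || echo "(not set)"
  done
  hist=$(mktemp); system_profiler SPInstallHistoryDataType > "$hist"
  list_security_data_installs "$hist"; rm -f "$hist"
fi
```

Both keys should read 1 when the checkbox is selected; a third-party package in the history is ignored because only the names the article discusses are matched.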

It’s worth noting that, despite Apple’s policy of releasing security updates only for the current version of OS X and two versions prior, the company continues to update these security data files all the way back to 10.6 Snow Leopard, when the File Quarantine feature made its debut.

Regardless, Apple should clarify the importance of this checkbox by rewording it to something like “Install critical anti-malware definitions and system data.” Having it selected is presumably already the default, but wording like that should prevent unwitting users from disabling it. Plus, if that checkbox is not selected, Software Update should notify the user about each individual update, just like any other OS X update.

[1]: http://tidbits.com/article/16296
[2]: http://tidbits.com/resources/2016-03/App-Store-prefs-before.png
[3]: https://support.apple.com/en-us/HT201940
[4]: http://tidbits.com/article/12199
[5]: https://support.apple.com/en-us/HT202225
[6]: http://tidbits.com/resources/2016-03/App-Store-prefs-after.png
[7]: http://tidbits.com/article/16296
[8]: http://tidbits.com/resources/2016-03/System-Information-installations.png